e{12}.c: use GLV and GLS methods even in variable-length multiplication.

supranational · Dec 8, 2020 · 79951b4 · 79951b4
1 parent 41e7e49
commit 79951b4
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 8 deletions.
diff --git a/src/e1.c b/src/e1.c
@@ -454,6 +454,33 @@ void blst_sign_pk2_in_g2(unsigned char out[96], POINTonE1_affine *sig,
     }
 }
 
+void blst_p1_mult(POINTonE1 *out, const POINTonE1 *a,
+                                  const byte *scalar, size_t nbits)
+{
+    if (nbits < 192) {
+        POINTonE1_mult_w4(out, a, scalar, nbits);
+    } else if (nbits < 256) {
+        union { vec256 l; pow256 s; } val;
+        size_t i, j, top, mask = (size_t)0 - 1;
+
+        /* this is not about constant-time-ness, but branch optimization */
+        for (top = (nbits + 7)/8, i=0, j=0; i<sizeof(val.s);) {
+            val.s[i++] = scalar[j] & mask;
+            mask = 0 - ((i - top) >> (8*sizeof(top)-1));
+            j += 1 & mask;
+        }
+
+        if (check_mod_256(val.s, BLS12_381_r))  /* z^4 is the formal limit */
+            POINTonE1_mult_glv(out, a, val.s);
+        else    /* should never be the case, added for formal completeness */
+            POINTonE1_mult_w5(out, a, scalar, nbits);
+
+        vec_zero(val.l, sizeof(val));
+    } else {    /* should never be the case, added for formal completeness */
+        POINTonE1_mult_w5(out, a, scalar, nbits);
+    }
+}
+
 int blst_p1_is_inf(const POINTonE1 *p)
 {   return (int)vec_is_zero(p->Z, sizeof(p->Z));   }
 

diff --git a/src/e2.c b/src/e2.c
@@ -531,6 +531,33 @@ void blst_sign_pk2_in_g1(unsigned char out[192], POINTonE2_affine *sig,
     }
 }
 
+void blst_p2_mult(POINTonE2 *out, const POINTonE2 *a,
+                                  const byte *scalar, size_t nbits)
+{
+    if (nbits < 160) {
+        POINTonE2_mult_w4(out, a, scalar, nbits);
+    } else if (nbits < 256) {
+        union { vec256 l; pow256 s; } val;
+        size_t i, j, top, mask = (size_t)0 - 1;
+
+        /* this is not about constant-time-ness, but branch optimization */
+        for (top = (nbits + 7)/8, i=0, j=0; i<sizeof(val.s);) {
+            val.s[i++] = scalar[j] & mask;
+            mask = 0 - ((i - top) >> (8*sizeof(top)-1));
+            j += 1 & mask;
+        }
+
+        if (check_mod_256(val.s, BLS12_381_r))  /* z^4 is the formal limit */
+            POINTonE2_mult_gls(out, a, val.s);
+        else    /* should never be the case, added for formal completeness */
+            POINTonE2_mult_w5(out, a, scalar, nbits);
+
+        vec_zero(val.l, sizeof(val));
+    } else {    /* should never be the case, added for formal completeness */
+        POINTonE2_mult_w5(out, a, scalar, nbits);
+    }
+}
+
 int blst_p2_is_inf(const POINTonE2 *p)
 {   return (int)vec_is_zero(p->Z, sizeof(p->Z));   }
 

diff --git a/src/exports.c b/src/exports.c
@@ -235,10 +235,6 @@ void blst_p1_add_or_double_affine(POINTonE1 *out, const POINTonE1 *a,
 void blst_p1_double(POINTonE1 *out, const POINTonE1 *a)
 {   POINTonE1_double(out, a);   }
 
-void blst_p1_mult(POINTonE1 *out, const POINTonE1 *a,
-                                  const byte *scalar, size_t nbits)
-{   POINTonE1_mult_w5(out, a, scalar, nbits);   }
-
 int blst_p1_affine_is_equal(const POINTonE1_affine *a,
                             const POINTonE1_affine *b)
 {   return (int)vec_is_equal(a, b, sizeof(*a));   }
@@ -261,10 +257,6 @@ void blst_p2_add_or_double_affine(POINTonE2 *out, const POINTonE2 *a,
 void blst_p2_double(POINTonE2 *out, const POINTonE2 *a)
 {   POINTonE2_double(out, a);   }
 
-void blst_p2_mult(POINTonE2 *out, const POINTonE2 *a,
-                                  const byte *scalar, size_t nbits)
-{   POINTonE2_mult_w5(out, a, scalar, nbits);   }
-
 int blst_p2_affine_is_equal(const POINTonE2_affine *a,
                             const POINTonE2_affine *b)
 {   return (int)vec_is_equal(a, b, sizeof(*a));   }